On 2017-02-23 03:03, David Turner wrote:
> Actually, though, I am not sure this is as bad as it seems, because gssapi
> might protect us.  When I locally tried a fake server, git (libcurl) refused
> to send my Kerberos credentials because "Server not found in Kerberos
> database".  I don't have a machine set up with NTLM authentication
> (because, apparently, that would be insane), so I don't know how to
> confirm that gssapi would operate off of a whitelist for NTLM as well.

NTLM and Kerberos work very differently in that regard.

Kerberos is ticket-based, so the client *first* has to obtain a ticket
from the domain's KDC; a malicious server therefore at minimum needs to
know what principal name to provide (i.e. which real server to try
impersonating). And even if it does that, the ticket doesn't contain
crackable hashes, just data encrypted with a key known only to the KDC
and the real server. So the whitelist is only for privacy and/or
performance reasons, I guess?

NTLM is challenge/response without any third party, and yes, it requires
the application to implement its own whitelisting to avoid the security
problems.

-- 
Mantas Mikulėnas <[email protected]>

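The contrast drawn in the reply above, as an added, runnable model rather than code from this thread or from git/libcurl: an NTLM client answers whichever host issues a challenge with a password-derived value the host can crack offline, so the application itself has to keep a host whitelist; a Kerberos client must first name a principal the KDC knows, and what it then presents is sealed to the real server's key. The model is simplified and not wire-accurate: real NTLMv2 uses MD4 and HMAC-MD5 (SHA-256 is used here for portability), the KDC database, host names, user name and wordlist are constructed, and the toy "sealing" stands in for Kerberos encryption types.

```python
"""Toy model: NTLM challenge/response vs. a Kerberos ticket from a KDC.
Simplified and not wire-accurate (see lead-in); all names and keys are constructed."""
import hashlib
import hmac
import os


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


# ---------------- NTLM: challenge/response, no third party ----------------
def nt_owf(password: str, user: str, domain: str) -> bytes:
    """Password-derived key (real NTLMv2: HMAC-MD5(MD4(pw), upper(user)+domain))."""
    nt_hash = hashlib.sha256(password.encode("utf-16-le")).digest()
    return _prf(nt_hash, (user.upper() + domain).encode("utf-16-le"))


def ntlm_response(password, user, domain, server_challenge: bytes, client_blob: bytes) -> bytes:
    """What the client sends back; anyone holding challenge+blob can recompute it per guess."""
    return _prf(nt_owf(password, user, domain), server_challenge + client_blob)


def make_ntlm_client(user, domain, password, trusted_hosts=None):
    """trusted_hosts is the application-level whitelist NTLM needs; None = answer anyone."""
    def client(host: str, challenge: bytes):
        if trusted_hosts is not None and host.lower() not in trusted_hosts:
            return None
        blob = os.urandom(8)
        return user, domain, blob, ntlm_response(password, user, domain, challenge, blob)
    return client


def rogue_ntlm_server(host: str, client, wordlist):
    """Any host the client will talk to picks the challenge and cracks the answer offline."""
    challenge = os.urandom(8)
    answer = client(host, challenge)
    if answer is None:
        return None  # whitelist held: nothing was sent, nothing to crack
    user, domain, blob, resp = answer
    for guess in wordlist:
        if hmac.compare_digest(ntlm_response(guess, user, domain, challenge, blob), resp):
            return guess
    return None


# ---------------- Kerberos: ticket from a KDC, service key stays with KDC/server ----------------
class KerberosError(Exception):
    pass


# Constructed KDC key database: the real git server has a principal, a rogue host does not.
KDC_DB = {"HTTP/git.example.com": os.urandom(32)}


def _seal(key: bytes, data: bytes) -> bytes:
    """Toy authenticated encryption (keystream XOR + HMAC tag); data must be <= 32 bytes."""
    nonce = os.urandom(16)
    stream = hashlib.sha256(key + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + ct + _prf(key, nonce + ct)


def _unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(_prf(key, nonce + ct), tag):
        raise KerberosError("ticket integrity check failed")
    stream = hashlib.sha256(key + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


def kdc_issue_ticket(service_principal: str):
    """TGS step: the client must name a principal the KDC knows; the ticket is sealed to that key."""
    if service_principal not in KDC_DB:
        raise KerberosError("Server not found in Kerberos database")
    session_key = os.urandom(32)
    return session_key, _seal(KDC_DB[service_principal], session_key)


def server_accept(service_key: bytes, ticket: bytes) -> bytes:
    """AP step on the server: recovering the session key needs the real service key."""
    return _unseal(service_key, ticket)


def legit_roundtrip(service_principal="HTTP/git.example.com") -> bool:
    session_key, ticket = kdc_issue_ticket(service_principal)
    return server_accept(KDC_DB[service_principal], ticket) == session_key


def rogue_kerberos_server(claimed_name: str, rogue_key: bytes) -> str:
    """A rogue host impersonating `claimed_name` gets, at best, a ticket it cannot open."""
    try:
        _, ticket = kdc_issue_ticket(claimed_name)
    except KerberosError as e:
        return f"no ticket: {e}"
    try:
        server_accept(rogue_key, ticket)
        return "ticket opened"
    except KerberosError as e:
        return f"ticket useless: {e}"


if __name__ == "__main__":
    words = ["password", "letmein", "hunter2"]  # constructed wordlist
    print("NTLM, no whitelist:", rogue_ntlm_server("evil.example.net", make_ntlm_client("alice", "EXAMPLE", "hunter2"), words))
    print("NTLM, whitelisted :", rogue_ntlm_server("evil.example.net", make_ntlm_client("alice", "EXAMPLE", "hunter2", {"git.example.com"}), words))
    print("Kerberos, unknown :", rogue_kerberos_server("HTTP/evil.example.net", os.urandom(32)))
    print("Kerberos, spoofed :", rogue_kerberos_server("HTTP/git.example.com", os.urandom(32)))
```

The NTLM half recovers the password from a single exchange with the rogue host unless the client's own whitelist refuses to answer; the Kerberos half fails at the KDC for an unknown principal, and even a correctly guessed principal name yields only a ticket the rogue host cannot open.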